Contractor  Self-Governance  Programs 


Executive  Summary 


Introduction.  DoD  prime  contract  awards  for  more  than  $25,000  totaled  $125  billion 
during  FY  1998.  A  properly  implemented  and  effective  contractor  self-governance 
program  allows  DoD  to  limit  its  oversight  of  the  acquisition  process.  Self-governance, 
also  known  as  corporate  governance,  is  a  process  through  which  a  company  takes 
responsibility  for  implementing  and  enforcing  legal  and  ethical  conduct.  The  key 
component  of  self-governance  is  a  strong  and  effective  ethics  program.  An  ethics 
program  consists  of  policies  and  procedures  that  define  and  implement  the  company’s 
code  of  conduct.  An  ethics  program  should  establish  a  culture  within  a  company  that 
promotes  prevention,  detection,  and  resolution  of  instances  of  conduct  that  do  not 
conform  to  Federal,  State,  and  local  law;  Federal  and  DoD  contract  regulations;  and 
the  company’s  own  internal  ethical  and  business  policies  and  procedures. 

Evaluation  Objectives.  The  objective  of  the  evaluation  was  to  determine  the  adequacy 
of  the  Defense  Contract  Audit  Agency  reviews  and  reports  on  contractor  self- 
governance  programs. 

Evaluation  Results.  The  Defense  Contract  Audit  Agency  performs  a  review  of  a 
contractor’s  ethics  program  as  part  of  its  internal  control  system  review  of  the  control 
environment  and  accounting  system.  The  review  did  not,  however,  cover  all  elements 
of  a  management  control  system  as  defined  in  the  Defense  Federal  Acquisition 
Regulation  Supplement  subpart  203.70,  “Contractor  Standards  of  Conduct.” 

Therefore,  although  the  internal  control  review  covered  the  areas  noted  in  the  auditing 
standards,  it  did  not  address  the  additional  areas  unique  to  the  DoD  business 
environment.  In  addition,  the  audit  coordination  process  between  audit  offices 
cognizant  of  certain  contractor  corporate  offices  and  those  cognizant  of  related 
contractor  entities  needed  improvement.  Finally,  improvements  could  have  been  made 
to  the  testing  of  controls  for  certain  audit  steps.  For  details  of  the  evaluation  results, 
see  the  Finding  section  of  the  report. 

Management  Actions.  In  May  1999,  the  Defense  Contract  Audit  Agency  clarified  its 
audit  guidance  for  testing  controls.  Management  agreed  to  revise  existing  audit 
guidance  to  ensure  appropriate  coverage  of  the  criteria  in  Defense  Federal  Acquisition 
Regulation  Supplement  203.7001,  “Procedures.”  Management  will  also  clarify 
guidance  on  audit  coordination  between  offices  cognizant  of  certain  contractor 
corporate  offices  and  those  cognizant  of  related  contractor  entities.  These  actions  are 
fully  responsive  to  our  concerns;  therefore,  no  recommendations  have  been  made. 

Management  Comments.  We  provided  a  draft  of  this  report  on  March  13,  2000. 
Because  this  report  contains  no  recommendations,  no  written  comments  were  required, 
and  none  were  received.  Therefore,  we  are  publishing  this  report  in  final  form. 

Background 


DoD  annually  conducts  business  with  thousands  of  prime  contractors  and 
hundreds  of  thousands  of  other  suppliers,  vendors,  and  subcontractors.  In 
FY  1999,  DoD  prime  contract  awards  for  more  than  $25,000  totaled 
$125  billion.  The  top  25  contractors  and  their  subsidiaries  received  $58  billion, 
or  46.4  percent  of  all  contract  awards  for  more  than  $25,000.  The  top  100  DoD 
contractors  and  their  subsidiaries  received  $75.5  billion,  or  60.3  percent  of  all 
awards,  primarily  for  aircraft,  missile/space  systems,  ships,  and  electronics  and 
communications  equipment.  For  DoD  to  successfully  procure  and  distribute  all 
the  goods  and  services  it  requires,  DoD  and  its  contractors  must  work 
harmoniously  with  each  other.  No  matter  how  many  auditors,  inspectors, 
investigators,  and  procurement  or  contracting  officials  DoD  employs,  they 
cannot  fully  oversee  DoD  contractors  and  completely  protect  DoD  and  the 
taxpayers’  interests  on  their  own.  Although  DoD  oversight  is  needed,  the 
process  can  work  efficiently  and  effectively  only  if  contractors  implement 
appropriate  self-governance  activities. 

Self-governance,  also  known  as  corporate  governance,  is  a  process  through 
which  a  company  takes  responsibility  for  implementing  and  enforcing  legal  and 
ethical  conduct.  The  key  component  of  self-governance  is  a  strong  and  effective 
ethics  program.  An  ethics  program  consists  of  policies  and  procedures  that 
define  and  implement  the  company’s  code  of  conduct.  As  part  of  the  process,  a 
company  should  also  implement  compliance  monitoring  systems.  An  ethics 
program  should  establish  a  culture  within  a  company  that  promotes  prevention, 
detection,  and  resolution  of  conduct  that  does  not  conform  to  Federal,  State,  and 
local  law;  Federal  and  DoD  contract  regulations;  and  the  company’s  own 
internal  ethical  and  business  policies  and  procedures. 

Packard  Commission.  In  response  to  reported  DoD  contractor  abuses,  the 
President’s  Blue  Ribbon  Commission  on  Defense  Management  (the  Packard 
Commission)  was  formed  in  1985  to  review  DoD  industry  relations  and  make 
recommendations  for  improvements.  In  1986,  the  Packard  Commission  issued 
its  final  report,  which  stated  that  major  improvements  in  contractor  self- 
governance  were  essential.  The  report  recommended  that  contractors  issue  and 
enforce  written  codes  of  conduct  addressing  their  unique  situations;  establish 
procedures  for  employees  to  report  apparent  misconduct  directly  to  senior 
management  or  the  audit  committee;  provide  training  to  employees  on  internal 
policies  and  procedures  relating  to  ethics;  establish  compliance  monitoring 
systems;  develop  and  implement  a  system  of  internal  controls  relating  to  its 
ethics  program;  and  give  the  independent  audit  committee  the  responsibility  for 
overseeing  corporate  compliance  programs. 

Defense  Industry  Initiatives  on  Business  Ethics  and  Conduct.  In  response  to 
the  Packard  Commission  report,  DoD  industry  leaders  committed  themselves  to 
adopting  and  implementing  principles  of  business  ethics  and  conduct  that 
address  their  corporate  responsibilities  under  Federal  procurement  laws.  Many 
large  DoD  contractors  joined  and  pledged  to  establish  and  adhere  to  written 
codes  of  ethics;  train  their  employees  in  these  codes;  encourage  employees  to 
report  violations  of  the  codes  without  fear  of  retribution;  monitor  compliance 
with  laws  relating  to  DoD  procurement;  adopt  procedures  for  voluntary 
disclosure  of  violations  and  take  needed  corrective  actions;  participate  in  an 
annual  best  practices  forum  to  share  experiences  in  implementing  the  initiatives; 
and  have  outside  or  nonemployee  members  on  their  boards  of  directors  review 
compliance  with  the  initiatives. 

Management  Controls  for  an  Ethics  Program.  The  Defense  Federal 
Acquisition  Regulation  Supplement  (DFARS)  subpart  203.70,  “Contractor 
Standards  of  Conduct,”  provides  elements  of  a  system  of  management  controls 
for  a  contractor  ethics  program.  These  elements  closely  parallel  those 
established  by  the  Defense  Industry  Initiatives,  including: 

•  a  written  code  of  business  ethics  and  conduct  and  an  ethics  training 
program  for  all  employees; 

•  periodic  reviews  of  company  business  practices,  procedures  and 
policies,  and  internal  controls  for  compliance  with  standards  of 
conduct; 

•  a  mechanism  such  as  a  hotline  for  employees  to  report  suspected 
improper  conduct,  and  instructions  that  encourage  employees  to 
make  such  reports; 

•  internal  and  external  audits,  as  appropriate; 

•  disciplinary  action  for  improper  conduct; 

•  timely  reporting  to  appropriate  Government  officials  of  any  suspected 
or  possible  violation  of  law  in  connection  with  Government  contracts 
or  any  other  irregularities  in  connection  with  such  contracts;  and 

•  full  cooperation  with  any  Government  agencies  responsible  for  either 
investigation  or  corrective  actions. 

If  properly  implemented,  these  elements  should  promote  an  effective  ethics 
program. 

Contract  Awards.  Federal  Acquisition  Regulation  (FAR)  subpart  9.1, 
“Responsible  Prospective  Contractors,”  provides  policies,  procedures,  and 
standards  for  determining  whether  a  prospective  contractor  is  responsible.  The 
FAR  requires  contracting  officers  to  determine  that  prospective  contractors  are 
responsible.  One  of  the  seven  standards  in  FAR  9.104-1  for  determining 
responsibility  is  that  the  contractor  must  have  a  satisfactory  record  of  integrity 
and  business  ethics. 

DoD  Use  of  Contractor  Ethics  Program  Information.  Current  regulations  do 
not  require  other  DoD  agencies  and  departments,  such  as  the  Defense  Contract 
Management  Agency  (DCMA),  to  routinely  review  or  use  information  directly 
related  to  a  contractor’s  ethics  program  during  the  contracting  process. 
Contracting  officers  can  consider  relevant  information,  if  available,  during 
determination  of  a  prospective  contractor’s  present  responsibility  or  evaluation 
of  a  contractor’s  past  performance.  In  the  past,  the  Defense  Logistics  Agency 
(DLA)  Office  of  General  Counsel  has  reviewed  some  contractor  ethics  programs 
on  request.  However,  the  DLA  Office  of  General  Counsel  headquarters 
personnel  have  not  been  requested  to  perform  an  ethics  program  review  since 
1996.  In  general,  DoD  officials  responsible  for  establishing  settlement 
agreements  make  the  most  direct  use  of  information  about  a  contractor’s  ethics 
program.  These  officials  may  review  a  contractor’s  ethics  program  before  and 
after  developing  a  settlement  agreement  in  lieu  of  suspension  or  debarment.  As 
part  of  this  process,  DoD  officials  may  use  Defense  Contract  Audit  Agency 
(DCAA)  internal  control  system  reports  containing  information  on  a  contractor’s 
ethics  program.  Such  information  may  also  be  helpful  if  a  situation  arises 
involving  application  of  the  Federal  sentencing  guidelines. 

Objectives 


The  overall  evaluation  objective  was  to  determine  the  adequacy  of  the  DCAA 
reviews  and  reports  on  contractor  self-governance  programs.  Specifically,  we 
determined  whether  DCAA  appropriately  assessed  and  reported  on  the  adequacy 
of  contractor  self-governance  programs,  such  as  employee  awareness  training, 
contractor  hotlines,  and  voluntary  disclosures.  See  Appendix  A  for  a  discussion 
of  the  evaluation  scope  and  methodology  and  prior  coverage. 

Defense  Contract  Audit  Agency  Audit 
Coverage  of  Contractor  Ethics  Program 


Since  FY  1995,  the  DCAA  has  performed  reviews  of  a  contractor’s 
ethics  program  as  part  of  its  internal  control  system  reviews  of  the 
control  environment  and  accounting  system.  The  review  did  not, 
however,  cover  all  elements  of  a  management  control  system  as  defined 
in  the  DFARS.  Therefore,  although  the  internal  control  system  review 
covered  the  areas  noted  in  the  auditing  standards,  it  did  not  address  the 
additional  areas  unique  to  the  DoD  business  environment.  The  audit 
coordination  between  DCAA  offices  cognizant  of  corporate  locations  and 
those  offices  cognizant  of  associated  contractor  entities  also  needed 
improvement.  Finally,  we  identified  instances  at  each  of  the  three 
offices  visited  where  improvements  could  have  been  made  to  the  testing 
of  internal  controls.  Procedures  for  coordinating  audit  work  did  not 
adequately  address  some  situations  involving  corporate  offices  and 
associated  contractor  entities.  Weaknesses  in  performing  compliance 
testing  when  needed  were  caused  by  unclear  audit  guidance;  however, 
during  our  evaluation,  DCAA  management  clarified  the  pertinent 
guidance,  resolving  the  issue.  Enhanced  audit  coverage  of  a  contractor’s 
control  environment  will  lead  to  improved  risk  assessments  and  allow 
DCAA  to  better  allocate  its  limited  audit  resources  to  higher-risk 
contractors  with  inadequate  ethics  programs.  In  addition,  by  performing 
additional  audit  work  to  include  the  DFARS  criteria,  DCAA  can  provide 
information  to  contracting  officers  and  DoD  officials  that  can  be  used  to 
evaluate  a  contractor’s  past  performance  and  present  responsibility.  This 
additional  information  can  also  be  the  basis  for  increasing  or  decreasing 
Government  oversight  at  a  contractor  location. 

Internal  Control  System  Audit  and  Risk  Assessment 


Government  auditing  standards  require  auditors  to  obtain  a  sufficient 
understanding  of  the  contractor  internal  control  structure  as  a  basis  for  assessing 
risk.  The  auditor  uses  this  assessment  of  control  risk  to  properly  plan  the  audit 
and  to  determine  the  nature,  timing,  and  extent  of  the  testing  needed. 

Internal  Control  System  Review  Process.  In  FY  1995,  DCAA  instituted  a 
new  process  for  assessing  and  documenting  the  control  risk  for  major 
contractors.  The  new  process  incorporated  the  requirements  of  the  Statement  on 
Auditing  Standards  (SAS)  No.  55,  “Consideration  of  the  Internal  Control 
Structure  in  a  Financial  Statement  Audit,”  for  assessing  control  risks.  The 
DCAA  determined  that  10  common  accounting  and  management  systems  existed 
in  the  contract  audit  environment.  The  10  systems  selected  for  standard  internal 
control  reviews  included:  control  environment  and  overall  accounting  controls, 
general  electronic  data  processing  system,  budget  and  planning  system, 
purchasing  system,  material  system,  compensation  system,  labor  system, 
indirect  and  other  direct  cost  system,  billing  system,  and  estimating  system. 
The  DCAA  then  established  standard  control  objectives  and  associated  audit 
procedures  for  each  system.  DCAA  included  the  following  factors  in  its 
assessment  of  the  control  environment: 

•  integrity  and  ethical  values, 

•  board  of  directors  or  audit  committee  participation, 

•  organizational  structure,  and 

•  assignment  of  authority  and  responsibility. 

SAS  No.  78,  “Consideration  of  Internal  Control  in  a  Financial 
Statement  Audit:  An  Amendment  to  SAS  No.  55” 


The  American  Institute  of  Certified  Public  Accountants  (AICPA)  auditing 
standards  define  internal  control  as  a  “process-effected  by  an  entity’s  board  of 
directors,  management,  and  other  personnel  designed  to  provide  reasonable 
assurance  regarding  the  achievement  of  objectives  in  the  following  categories: 

(a)  reliability  of  financial  reporting,  (b)  effectiveness  and  efficiency  of 
operations,  and  (c)  compliance  with  applicable  laws  and  regulations.”  Internal 
control  consists  of  the  control  environment,  risk  assessment,  control  activities, 
information  and  communication,  and  monitoring. 

Control  Environment.  The  control  environment  functions  as  the  foundation 
for  the  other  four  components.  It  establishes  the  organizational  tone  that 
influences  employee  values  and  decisionmaking  and  provides  discipline  and 
structure.  The  auditor  should  consider  the  following  factors  in  evaluating  an 
entity’s  control  environment: 

•  integrity  and  ethical  values, 

•  commitment  to  competence, 

•  board  of  directors  or  audit  committee  participation, 

•  management  philosophy  and  operating  style, 

•  organizational  structure, 

•  assignment  of  authority  and  responsibility,  and 

•  human  resource  policies  and  practices. 

Other  Considerations.  The  auditor  must  also  assess  internal  controls  in  light  of 
the  entity’s  size;  organizational  and  ownership  characteristics;  the  nature  of  the 
entity’s  business;  the  diversity  and  complexity  of  the  entity’s  operations;  the 
entity’s  methods  of  transmitting,  processing,  maintaining,  and  accessing 
information;  and  applicable  legal  and  regulatory  requirements. 

An  effective  control  environment  should  reduce  the  chance  of  improper  conduct 
by  management.  Custom,  corporate  culture,  and  the  corporate  governance 
system  can  hinder,  but  not  completely  prevent,  management  from  performing 
irregularities.  A  control  environment  consisting  of  an  effective  board  of 
directors,  audit  committee,  and  internal  audit  department  should  also  diminish 
the  possibility  of  irregularities.  On  the  other  hand,  a  control  environment  or 
corporate  culture  can  minimize  the  effectiveness  of  other  elements  of  the 
internal  control  system.  For  instance,  management  incentives  based  on 
increases  in  stock  value  could  result  in  irregularities. 

Tests  of  Controls.  The  auditor  should  consider  both  the  essence  of  the  controls 
and  their  impact  as  a  whole.  Because  entities  may  write  policies  establishing 
controls  but  not  properly  implement  the  controls,  auditors  should  concentrate  on 
understanding  the  substance  of  the  controls  (how  they  are  implemented)  versus 
their  form  (what  the  policies  say). 

DCAA  Audit  Guidance 


Current  DCAA  audit  guidance  does  not  consider  all  the  criteria  listed  in  DFARS 
203.7001  as  applicable  to  a  good  management  control  system.  The  standard 
audit  guidance  in  the  “DCAA  Contract  Audit  Manual,”  DCAAM  7640.1 
(DCAM)  partially  addresses  five  elements  and  does  not  cover  the  remaining  two 
elements.  By  revising  the  audit  guidance  to  include  all  the  elements  listed  in  the 
DFARS,  DCAA  internal  control  reviews  and  the  associated  risk  assessments 
will  provide  a  more  complete  picture  of  a  DoD  contractor’s  control 
environment.  Specifically,  we  asked  DCAA  management  to  consider  the 
following  revisions: 

•  Enhancing  guidance,  to  include  requesting  a  system  description  from 
the  contractor,  if  available.  (DFARS  203.7001[a]) 

•  Adding  guidance  to  verify  that  a  contractor’s  ethics  training  program 
covers  all  employees.  (DFARS  203.7001[a][1]) 

•  Adding  guidance  to  verify  that  the  contractor  has  policies  and 
procedures  in  place  that  require  timely  reporting  to  appropriate 
Government  officials  of  any  suspected  or  possible  violation  of  law  or 
suspected  irregularity  in  connection  with  a  Government  contract. 
(DFARS  203.7001[a][6]) 

•  Adding  guidance  to  verify  that  the  contractor  has  policies  and 
procedures  that  require  full  cooperation  with  any  Government  agency 
responsible  for  investigations  or  corrective  actions.  (DFARS 
203.7001[a][7]) 

•  Enhancing  or  clarifying  existing  guidance  to  specify  that  the  auditor 
should  determine  whether  the  contractor  has  an  internal  reporting 
mechanism,  such  as  a  hotline,  that  employees  can  use  to  report 
suspected  instances  of  improper  conduct,  and  whether  employees  are 
encouraged  to  do  so.  (DFARS  203.7001[a][3]) 

•  Enhancing  or  clarifying  existing  guidance  to  emphasize  that  the 
contractor  should  conduct  periodic  reviews  of  company  business 
practices,  procedures,  policies,  and  internal  controls  for  compliance 
with  standards  of  conduct  and  unique  requirements  of  Government 
contracting.  (DFARS  203.7001[a][2]) 

•  Clarifying  existing  guidance  of  internal  audits  being  performed. 
(DFARS  203.7001[a][4]) 

•  Clarifying  existing  guidance  of  external  reviews  being  performed 
relating  to  a  contractor’s  ethics  program  instead  of  the  internal 
control  system.  (DFARS  203.7001[a][4]) 

•  Adding  an  audit  step  to  determine  whether  the  contractor  posts  the 
DoD  Hotline  poster  if  it  does  not  have  an  internal  reporting 
mechanism.  (DFARS  203.7001[b]) 

DCAA  Audit  Coverage 


Board  of  Directors,  Audit  Committee,  and  Internal  Audit  Staff.  Our  review 
found  that  at  one  of  the  three  fieldwork  locations,  the  audit  coverage  of  this  area 
could  be  improved  with  better  audit  guidance.  Existing  guidance  does  not 
differentiate  between  reviewing  the  board  of  directors  and  the  audit  committee. 
Each  group  performs  different  control  activities.  In  addition,  external  groups 
such  as  the  AICPA,  the  Institute  of  Internal  Auditors,  and  the  Securities  and 
Exchange  Commission  have  increased  their  emphasis  on  the  importance  of  the 
audit  committee,  providing  additional  guidelines  for  audit  coverage  that  may  not 
have  existed  4  years  ago.  Therefore,  we  suggested  to  DCAA  management  that 
they  consider  amending  the  existing  audit  guidance  as  follows: 

•  Revise  guidance  to  provide  a  separate  review  of  the  board  of 
directors  and  the  audit  committee.  The  review  should  concentrate  on 
the  audit  committee  and  its  interaction  with  the  internal  audit  staff 
because  additional  emphasis  is  now  being  placed  in  this  area.  For 
instance,  the  audit  committee  should  have  a  charter,  be  independent 
of  company  management,  and  take  an  active  role  in  overseeing  the 
internal  audit  department.  The  internal  audit  manager  should  meet 
privately  at  least  once  a  year  with  the  chair  of  the  audit  committee  to 
discuss  any  sensitive  issues. 

•  Revise  coverage  of  the  internal  audit  staff.  The  first  audit  step 
should  be  to  determine  whether  the  internal  audit  staff  performed  any 
reviews  in  this  area.  If  the  internal  audit  staff  has  not  reviewed  the 
ethics  program,  the  review  of  its  function  should  be  minimal  at  this 
time.  General  areas  to  be  covered  should  include  independence, 
objectivity,  scope  of  work,  management  of  the  department,  and  the 
followup  system  for  audit  recommendations. 

DCAA  Audit  Process.  DCAA  classifies  contractor  entities  as  either  major  or 
nonmajor,  depending  on  the  annual  auditable  dollar  amounts  at  each  entity.  For 
instance,  a  major  contractor  is  one  that  has  $80  million  or  more  in  annual 
auditable  dollars.  The  audit  risk  assessment  process  for  nonmajor  contractors  is 
different  from  the  process  DCAA  uses  for  major  contractors.  For  nonmajor 
contractors,  the  audit  office  may  use  a  short  form  internal  control  questionnaire 
or  perform  the  internal  control  system  review(s)  already  described.  The  short 
form  internal  control  questionnaire  is  primarily  an  information-gathering  device 
with  no  independent  review  required.  Although  the  short  form  requires  less 
audit  effort,  it  provides  less  independently  analyzed  audit  evidence.  For  many 
nonmajor  contractors,  the  short  form  is  acceptable;  however,  in  certain  cases, 
the  complete  internal  control  system  review  is  beneficial.  One  example  is  when 
a  corporate  office  is  classified  as  nonmajor,  but  one  or  more  of  its  divisions, 
subsidiaries,  group  offices,  or  other  entities  is  considered  a  major  contractor. 
Auditors  located  at  the  corporate  office  should  obtain  the  information  and 
perform  the  analyses  required  to  properly  complete  some  parts  of  the  internal 
control  system  review  for  the  control  environment  and  the  accompanying  risk 
assessment  that  affects  similar  reviews  for  all  of  the  contractor’s  entities. 

Evaluation  Results.  Two  locations  we  reviewed  had  nonmajor  corporate 
offices  audited  by  another  DCAA  office.  One  office  requested  an  assist  audit 
from  the  office  cognizant  of  the  corporate  office.  The  other  office  obtained 
relevant  information  in  a  less  formal  manner.  The  audit  office  that  used  an 
informal  process  did  not  receive  sufficient,  relevant  information  for  all  of  the 
required  audit  program  steps.  However,  the  audit  office  that  requested  an  assist 
audit  received  an  audit  report  addressing  all  of  the  requested  audit  program 
steps.  The  deficiencies  identified  at  both  offices  in  the  information  received 
were  caused  by  the  existing  audit  program  or  the  method  used  to  coordinate 
information  requirements  between  the  two  offices.  Audit  coverage  of  nonmajor 
corporate  entities  could  be  improved  by  revising  existing  audit  guidance  to 
require  the  DCAA  audit  office  cognizant  of  the  major  contractor  entity  to 
formally  request  an  assist  audit  from  the  DCAA  office  cognizant  of  the 
nonmajor  corporate  office.  By  requesting  an  assist  audit,  the  DCAA  office 
responsible  for  performing  the  internal  control  system  review  could  specify 
exactly  the  information  required  from  the  other  DCAA  office.  This  would 
result  in  a  more  thorough  system  review  and  risk  assessment. 

Compliance  Testing  During  the  Internal  Control  Review  of  the  Control 
Environment.  We  noted  improvements  that  DCAA  could  make  in  performing 
compliance  testing  at  all  three  locations.  At  each  location,  DCAA  auditors 
could  have  better  executed  certain  audit  steps  if  compliance  testing  had  been 
done.  For  instance,  at  one  location,  the  auditor  accepted  the  contractor- 
provided  list  of  employees  who  had  attended  ethics  training  without  checking 
other  records  such  as  employee  personnel  files.  The  lack  of  compliance  testing 
during  certain  internal  control  system  reviews  was  reported  previously  in 
Evaluation  Report  No.  PO  98-6-016,  “Defense  Contract  Audit  Agency  Audits 
of  Indirect  Costs  at  Major  Contractors,”  August  8,  1998.  DCAA  management 
had  agreed  to  clarify  guidance  dealing  with  compliance  testing  (tests  of 
controls).  On  May  10,  1999,  DCAA  issued  Memorandum  for  Regional 
Directors  99-PIC-057(R)  that  notified  the  regional  offices  of  the  revisions.  In 
the  January  2000  DCAM,  DCAA  revised  chapter  5-108,  “Test  of  Controls.” 
We  agree  with  DCAA  management  that  the  revision  should  improve 
implementation  of  the  audit  guidance  in  the  field. 

Planned  Management  Actions 


We  met  with  DCAA  management  to  discuss  our  findings,  concerns,  and 
potential  recommendations.  DCAA  managers  were  open  to  suggestions  for 
improving  its  audit  guidance.  They  agreed  to  revise  existing  DCAA  guidance  to 
ensure  appropriate  coverage  of  DFARS  subpart  203.70.  They  have  also  agreed 
to  revise  the  standard  audit  program  to  clarify  the  audit  responsibilities  for 
DCAA  offices  cognizant  of  both  nonmajor  contractor  corporate  offices  with 
major  entities  and  those  offices  cognizant  of  the  associated  major  entities.  We 
appreciate  the  timely  action  taken  by  DCAA  management  to  address  these 
issues.  We  consider  the  planned  management  actions  to  be  fully  responsive  to 
our  concerns;  therefore,  no  recommendations  have  been  made. 

Summary 


Government  auditing  standards  require  the  auditor  to  obtain  a  sufficient 
understanding  of  the  contractor’s  internal  control  structure  as  a  basis  for 
assessing  audit  risk.  The  auditor  is  to  use  this  assessment  to  properly  plan  the 
audit  and  determine  the  nature,  timing,  and  extent  of  testing  needed.  A  key  part 
of  this  process  is  the  internal  control  system  review  and  the  associated  risk 
assessment  of  the  contractor’s  overall  control  environment.  The  control 
environment  for  a  DoD  contractor  includes  its  ethics  program  and  other  self- 
governance  activities.  By  enhancing  audit  coverage  to  ensure  coverage  of  the 
management  control  system  described  in  DFARS  subpart  203.70,  DCAA  will 
improve  its  risk  assessment  of  the  control  environment.  This  will  allow  DCAA 
audit  offices  to  better  use  their  limited  audit  resources  to  review  high-risk 
contractors.  DCAA  will  also  be  able  to  provide  more  detailed  information  on  a 
contractor’s  ethics  program  in  internal  control  system  reports  to  contracting 
officers.  Contracting  officers  can  use  this  information  during  the  preaward 
process  to  help  evaluate  a  contractor’s  present  responsibility  or  past 
performance.  DoD  may  also  be  able  to  use  this  information  to  determine  the 
appropriate  level  of  DoD  oversight  needed  at  a  particular  contractor  location. 

Appendix  A.  Evaluation  Process 

Scope 


The  evaluation  was  reannounced  under  Project  No.  90C-9006  on 
April  29,  1999.  During  the  evaluation,  we  visited  three  DCAA  audit  offices 
responsible  for  major  contractors  and  one  office  cognizant  of  a  corporate  office. 
We  reviewed  selected  portions  of  various  audit  assignments  relating  to 
contractor  ethics  programs.  We  reviewed  the  following  audit  assignments  and 
related  documentation: 

•  reviews  of  internal  controls  for  the  control  environment  and  overall 
accounting  system; 

•  internal  control  audit  planning  summary  forms  for  the  control 
environment  and  overall  accounting  system; 

•  Cost  Accounting  Standard  (CAS)  audits,  including  CAS  405, 
“Accounting  for  Unallowable  Costs,”  and  CAS  418,  “Allocation  of 
Direct  and  Indirect  Cost”;  and 

•  audits  and  reports  on  incurred  costs. 

We  met  with  the  DCMA  headquarters  representatives  to  discuss  reviews  of 
contractors’  ethics  programs.  We  also  met  with  the  DLA  Office  of  General 
Counsel  to  determine  their  level  of  involvement  and  information  available  on 
contractors’  ethics  programs  and  reviews  conducted. 

Our  initial  objectives  included  determining  how  DoD  relies  on  contractor  self- 
governance  programs  such  as  an  ethics  program.  However,  after  performing 
fieldwork,  we  emphasized  the  DCAA  role  in  evaluating  and  reporting  on  a 
contractor’s  ethics  program.  A  summary  of  how  DoD  uses  such  information 
can  be  found  in  the  Background  section  of  this  report. 

General  Accounting  Office  High-Risk  Area.  The  General  Accounting  Office 
has  identified  several  high-risk  areas  in  the  DoD.  This  report  provides  coverage 
of  the  Defense  Contract  Management  high-risk  area. 

Methodology 


Use  of  Computer-Processed  Data.  We  relied  on  data  we  received  from  the 
DCAA  Agency  Management  Information  System.  Based  on  our  previous 
reviews  of  the  accuracy  of  DCAA  data  in  the  Inspector  General,  DoD, 
Semiannual  Report  to  Congress  and  the  actions  DCAA  has  taken  in  response  to 
conditions  identified,  we  considered  the  data  adequate  for  our  review. 

Universe  and  Sample  Selection.  We  judgmentally  selected  three  major 
contractor  entities,  each  from  a  different  DCAA  region.  We  visited  the  three 
audit  offices  cognizant  of  the  selected  contractor  entity  and  either  visited  or 
requested  information  from  the  audit  office  cognizant  of  the  corporate  records. 
When  selecting  a  contractor  entity  to  be  reviewed,  we  also  considered  a 
contractor’s  size  (dollar  amount  of  contract  awards),  participation  in  a  voluntary 
disclosure  program,  and  other  information  on  its  ethics  program. 

We  also  judgmentally  selected,  for  a  limited  review,  25  additional  major 
contractor  entities  that  had  nonmajor  corporate  offices.  We  obtained 
information  from  the  DCAA  office  cognizant  of  the  major  contractor  entity  to 
determine  how  that  office  completed  the  portion  of  the  control  environment 
review  dealing  with  corporate  office  functions. 

We  also  judgmentally  selected  14  SFs  1403,  “Preaward  Survey  of  Prospective 
Contractor  (General),”  from  3  DCMA  locations.  We  reviewed  the  sampled 
surveys  to  determine  whether  the  contracting  officer  had  asked  for  or  received 
any  information  about  a  contractor’s  ethics  program. 

Evaluation  Type,  Dates,  and  Standards.  We  performed  this  evaluation  from 
February  through  October  1999  in  accordance  with  standards  issued  and 
implemented  by  the  Inspector  General,  DoD.  We  did  not  include  tests  of  the 
management  control  program(s). 

Contacts  During  the  Evaluation.  We  visited  or  contacted  individuals  and 
organizations  within  the  DoD.  Further  details  are  available  on  request. 


Prior  Coverage 

No  prior  coverage  has  been  conducted  on  the  subject  during  the  last  5  years. 


Appendix  B.  Report  Distribution 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  for  Acquisition,  Technology,  and  Logistics 
Director,  Defense  Logistics  Studies  Information  Exchange 
Director,  Defense  Procurement 
Under  Secretary  of  Defense  (Comptroller) 

Assistant  Secretary  of  Defense  (Legislative  Affairs) 

Department  of  the  Army 

Auditor  General,  Department  of  the  Army 
Commander,  United  States  Legal  Services  Agency 

Department  of  the  Navy 

Office  of  the  General  Counsel,  Department  of  the  Navy 
Naval  Inspector  General 

Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Office  of  the  General  Counsel,  Department  of  the  Air  Force 

Other  Defense  Organizations 

Director,  Defense  Contract  Audit  Agency 
Director,  Defense  Contract  Management  Agency 
Director,  Defense  Logistics  Agency 


Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House  Committee  on  Armed  Services 
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Management,  Information,  and  Technology, 
Committee  on  Government  Reform 

House  Subcommittee  on  National  Security,  Veterans  Affairs,  and  International 
Relations,  Committee  on  Government  Reform 